2b. Indirect Syscalls intro

Indirect syscalls use a jump to dynamically resolve the syscall location inside ntdll.dll.

Indirect syscalls help avoid detection by maintaining a more natural execution flow.

Indirect Syscall Workflow:

1. Locate the ntdll.dll export for the target syscall dynamically at runtime.
2. Extract the syscall stub address and jump to its location.
3. Execute the syscall via the legitimate ntdll.dll mapping, maintaining a normal call stack.
4. Return the result to user-mode.
   https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls